Cybersecurity

Assessing It Department Performance And Staffing

Learn how to evaluate IT department efficiency and staffing needs using key performance indicators and strategic assessment methodologies.
Quick Links:
No items found.
No items found.

What is the appropriate staffing size and skill set for your institution’s IT Department?  This question is frequently asked by Executive Management and Board Members.  While IT Management is generally aware of their department’s strengths and weaknesses, they often seek industry and peer statistics to support requests for changes in staffing numbers and additional training to ensure technical competency.  

NETBankAudit has the benefit of partnering with over 800 organizations, largely community financial institutions, which has allowed us to observe the effectiveness of IT Departments with a wide range of staff sizes and skill sets.  Our auditors and engineers are often asked for peer statistics and industry standards for IT Department staffing and we are always happy to share our experience.  This article summarizes our observations.

Key Drivers of IT Staffing Needs

Financial Institution Profile and IT Resources

The optimum IT Department staffing requirements are determined by the profile and related IT resource requirements for the respective financial institution.  Critical factors include the number of locations, number of employees, and reliance on third party service providers for IT resources (e.g., core system, network services, and support functions). 

Generally, asset size alone is not a useful measure for determining IT staffing requirements as such does not take into account the institution’s business strategy (e.g., retail focus with numerous office locations vs. commercial or wealth management focus with few locations).  Ultimately, the IT Department staffing size and composition will depend on the number of employees, locations, devices and systems/applications that require local support and maintenance.  

The institution’s decision to outsource certain IT resources also factors into the number of staff members and related skill sets that are required.  Many institutions contract with third party service providers for core system hosting.  A significant number also outsource network monitoring and maintenance, in addition to server hosting and management.  However, it is noted that regardless of the number and nature of services that are outsourced, the financial institution remains responsible for their overall performance and security.  Accordingly, while the functions may be hosted by third parties, responsibility for oversight and monitoring is still required.

Internal vs. Outsourced IT Resources
Internal vs. Outsourced IT Resources

Key Factors for IT Department Staffing

There are several factors that distinguish IT Department composition, including the number of staff members, their technical expertise, their experience with IT and with the respective institution, in addition to the organization itself (reporting structure and culture).  These key factors and related considerations are discussed below.

Staffing Size

As noted above, the number of offices and geographic locations, in addition to the number of employees and endpoint devices that are supported, are key considerations in determining the appropriate number of IT Department staff members and related skill sets.  Current industry statistics indicate that, for smaller companies (under 500 employees), a ratio of one IT staff member per 18 users is common, while larger companies (over 10,000) may see a ratio of one IT staff member per 40 users. Some research suggests a ratio of 70:1 for companies with a simple IT environment and 45:1 for more complex environments.  

Staffing Size Benchmarks for IT Departments
Staffing Size Benchmarks for IT Departments

Technical Expertise

While the number of IT staff members might be assessed based on the number of employees and locations, the skill level and technical expertise is an important consideration.  This also depends greatly on the institution’s dependence on third party service providers for core system and network services.  Specific skill requirements may be warranted for in-house core systems (e.g., host system maintenance, program interface development, and related support).  Such may be addressed by a combination of internal and external (e.g., contractor) resources.  Technical support for network services is also dependent on the scope of internally supported and outsourced services (e.g., managed network environment, hosted servers, and related maintenance).  

Experience 

The level and depth of IT technical experience, in addition to experience with the respective institution’s environment also play a key role in determining staffing requirements.  Experienced staff with several years of history with the institution provide additional value in terms of efficiency and expertise that is not easily replaced by new staff members, regardless of their education and prior job history.  Accordingly, provisions for backup/cross-training and written procedures are important considerations to ensure knowledge transfer. 

Organizational Structure

Every institution has a unique organizational structure which greatly influences its target IT Department size and composition.  The institution’s organizational structure involves the oversight roles and reporting lines that are in place for all business departments, including Information Technology.  However, this structure can vary significantly from one institution to another.  Specifically, the roles of the Chief Technology Officer, Chief Information Officer, Chief Operations Officer, and Information Security Officer and their related oversight duties varies for each organization.  In some institutions, these roles may be absent or combined.  The respective departments and/or functional areas that report to these roles (e.g., Network Services, Deposit Operations, Loan Operations, Electronic/Digital Services) also varies and affects the number of resources required to support these functions.  In addition, responsibility for additional IT related programs (e.g., Vendor Management, Project Management, and Business Continuity Management) significantly affects the number of resources that are required to address these areas.   

Culture

The culture of each institution is unique and reflects its executive management’s history and strategy.  Such has a significant impact on IT Department staffing as the “tone from the top”  can serve as a strong motivator for productivity and work ethic.  It can also adversely affect performance when employees do not feel that they are recognized and valued.  Even in very small organizations with limited opportunities for promotions and management positions, employees can be motivated and incented by challenging work assignments, training opportunities, and recognition.

Critical Factors Beyond Staffing Numbers for IT Teams
Critical Factors Beyond Staffing Numbers for IT Teams

Assessing IT Department Staffing Adequacy

While there are no reliable statistics for benchmarking IT Department staffing in terms of numbers and positions, management can assess the effectiveness of their IT Department by monitoring certain performance indicators as discussed below.

Performance and Evaluation Assessments

The performance of the IT Department can be evaluated based on activities that are performed and their effectiveness.  Problems, exceptions, and other issues may be identified by internal and external audits, in addition to regulatory examinations.  Increases in the number and significance of IT department related exceptions that are identified in audit and examination reports can indicate staffing and resource concerns.

Service/Help Desk Activity

The Help/Service Desk System can serve as a valuable resource for monitoring IT Department performance.  Generally, most IT Service Desk/Ticketing Systems can provide reports summarizing activity detailing ticket status by category, assignment, and duration.  This information can be leveraged to determine the issues that are requiring the most time by IT staff and identify opportunities to provide solutions to common problems (e.g., password resets).  Additionally, trends in ticket aging (resolution time) can be helpful to identify the potential need for additional support resources.

General Observations

Depending on the expertise of IT Staff, size and location(s) of the IT Department, and provisions for oversight and administration, general observations can help to identify potential problems and concerns.  Specifically, regardless of whether the IT Staff is located onsite at a central location, assigned to designated regional locations, or working from remote locations, provisions for regular team meetings, and real time communications are warranted.  In addition, regular feedback between IT management and staff members is essential to ensure that procedures and priorities are understood and met. 

Recommendations for Ensuring Continued IT Department Staffing Adequacy

The institution’s Board of Directors, IT Steering Committee, and IT Department Management are responsible for ensuring that appropriate internal and external resources are in place to support the institution’s IT and Operational functions. To ensure that this objective is met, the following recommendations are outlined. 

Succession Planning

All financial institutions should have an IT Department and Information Security Succession Plan that addresses short and long term plans in the event of an unexpected loss of key staff members.  While the plan should focus on IT and Information Security Leadership (e.g., CIO, COO, ISO), it should also address critical IT Department positions (e.g., Network Administrator).

Backup/Cross Training

To support the institution’s IT Department succession plans, cross training within the IT Department is an important consideration.  Job sharing and backup training activities should be considered to ensure that existing employees can stand in for one another in the event of an unexpected absence.

Ongoing Training Opportunities and Motivational Programs

The retention of existing IT Department staff members is an important consideration, particularly for institutions that are smaller and have fewer opportunities for promotions to higher level positions.  It is critical to ensure that existing staff members feel that they are valued and that they have opportunities for individual growth and development regardless of whether this involves a job title.  To ensure that these employees feel valued and remain dedicated to the institution’s goals and objectives, management should consider offering educational opportunities, challenging project assignments, and other means of recognition to recognize these valued employees.

Summary and Conclusion

IT Department staffing requirements are unique for each financial institution and depend on their respective size, complexity, business strategy, and outsourcing strategy.  There are no industry statistics or benchmarks for determining the adequacy of an institution’s IT department in terms of numbers and job titles/positions.  However, there are a number of measures that a financial institution can leverage to determine whether its IT Department is appropriately staffed.  Such include the results of audit and examination reports, in addition to Help Desk/Service Desk tickets and related statistics for problem/event categories and ticket aging (resolution time).  Staff morale can also be measured by turnover and attendance measures.  

 
class SampleComponent extends React.Component { 
  // using the experimental public class field syntax below. We can also attach  
  // the contextType to the current class 
  static contextType = ColorContext; 
  render() { 
    return <Button color={this.color} /> 
  } 
}
Table of Contents
This is also a heading
This is also a heading
This is a heading

Mitigate Risks with Comprehensive Audits & Assessments

Request For Proposal
NEWS & ARTICLES

Explore Our Learning Center

View All Articles
Industry News
Insights From BSA Coalition’s AI and Fraud Webinar
Explore key takeaways from the BSA Coalition’s AI and Fraud webinar, including deepfake risks, synthetic ID fraud, governance gaps, and practical strategies for financial institutions to stay secure and compliant.
Read more
Industry News
NETBankAudit Announces Elaine Rudolph-Carter as Regulatory Oversight and BSA Specialist
NETBankAudit welcomes Elaine Rudolph-Carter as Regulatory Oversight and BSA Specialist. With decades of experience at the Federal Reserve and as a BSA Coalition co-founder, Elaine enhances our compliance and audit expertise.
Read more
Cybersecurity
Social Engineering Testing: Safeguarding Financial Institutions from Human-Centric Cyber Threats
Discover how financial institutions can protect against social engineering attacks through phishing, vishing, pretexting, and more. Learn the value of internal and third-party testing to strengthen employee awareness and regulatory compliance.
Read more
Compliance
Flood Disaster Protection Act: Lender Compliance, Insurance Requirements, and Regulatory Oversight
Understand lender obligations under the Flood Disaster Protection Act, including flood insurance purchase requirements, force placement, escrow management, and private policy acceptance. Essential guidance for financial institutions.
Read more
Compliance
Regulation B – Equal Credit Opportunity Act: Practical Guide for Fair Lending Compliance
Explore key requirements of Regulation B and the Equal Credit Opportunity Act, including fair lending rules, prohibited practices, application standards, and recent enforcement actions. Essential for compliance professionals in financial services.
Read more
Compliance
Right to Financial Privacy Act: Safeguarding Customer Financial Records from Unwarranted Government Access
Learn how the Right to Financial Privacy Act (RFPA) protects customer financial records from unwarranted government access. This guide explains RFPA procedures, exceptions, enforcement actions, and how financial institutions can stay compliant.
Read more
Risk Assessments
Independent Network Testing Requirements And Recommendations
Explore essential network testing protocols and best practices to ensure optimal performance, reliability, and compliance in modern IT infrastructures.
Read more
Cybersecurity
Assessing It Department Performance And Staffing
Learn how to evaluate IT department efficiency and staffing needs using key performance indicators and strategic assessment methodologies.
Read more
Cybersecurity
Artificial Intelligence: Opportunities And Threats for Financial Institutions
Understand the risks and benefits of AI in financial institutions, with actionable strategies to ensure ethical use, regulatory compliance, and resilience.
Read more
Compliance
Regulatory Landscape Shift: What is the Status of CFPB and Other Regulatory Agencies?
Stay ahead of U.S. regulatory changes impacting financial institutions, including CFPB restructuring, OCC priorities, and Basel III Endgame considerations.
Read more
Cybersecurity
Vulnerability & Patch Management in Financial Institutions
Discover a compliance-first approach to vulnerability and patch management, minimizing security risks within financial organizations.
Read more
Compliance
Understanding Customer Identification Program (CIP) Requirements
Gain insights into CIP mandates for financial institutions, ensuring compliance with KYC regulations and enhancing customer verification processes.
Read more
Cybersecurity
Ransomware in 2025: A Persistent Threat in a Shifting Landscape
Analyze the diminishing influence of ransomware groups and understand the factors contributing to their reduced impact in the cybersecurity landscape.
Read more
Cybersecurity
Generative AI Controls and Risk Assessments for Financial Institutions 
Uncover potential risks of generative AI, including ethical, legal, and operational challenges, and learn strategies to mitigate them effectively.
Read more
Risk Assessments
Enhanced Due Diligence: A Practical Guide for Compliance Officers in Financial Institutions
Explore how Enhanced Due Diligence protects financial institutions from high-risk clients by meeting FATF, FinCEN, and FFIEC compliance expectations.
Read more
Risk Assessments
The CRI Cyber Profile: A Guide for Financial Institutions
Learn how the CRI Cyber Profile helps financial institutions meet FFIEC standards through scalable risk assessments and enhanced regulatory alignment.
Read more
Compliance
Protecting Elderly Customers: NETBankAudit's Elder Fraud (EFE) Audit Services
NETBankAudit offers specialized Elder Fraud Audit Services designed to help financial institutions detect, prevent, and respond effectively to EFE, ensuring compliance with regulatory standards and reinforcing trust with their customers.
Read more
Compliance
Key Findings from NETBankAudit’s 2024 BSA/AML Audits and MIS Verification Audits
View results of over 30 Bank Secrecy Act (BSA) Compliance Audits across community banks, credit unions, and other financial institutions in 2024.
Read more
Compliance
Guide to Currency Transaction Reports (CTRs): Strategies and Best Practices
Currency Transaction Reports (CTRs) serve as critical tools in the fight against money laundering, terrorist financing, and other financial crimes.
Read more
Compliance
Enhancing Transaction Monitoring and Suspicious Activity Reporting: Strategies for Effective Compliance
Learn about Transaction Monitoring and Suspicious Activity Reporting best practices for Financial Institutions.
Read more
Compliance
Risk Assessment Best Practices for BSA/AML/CFT and OFAC Compliance
Fortify your institution’s BSA AML risk assessment processes by weaving together best practices, real-world examples, and authoritative guidance from global regulatory entities.
Read more
Compliance
Emerging Threats to BSA/AML/CFT and OFAC Compliance: Navigating AI, Cryptocurrency, and Machine Learning Risks
Understand the impact of emerging technologies such as AI, Machine Learning, Crypto and more on BSA, AML and CFT compliance.
Read more
Industry News
Key Cybersecurity Deadlines and New DFS Requirements Coming in 2025
Updates on The New York Department of Financial Services (DFS) new requirements under its amended Cybersecurity Regulation (23 NYCRR Part 500).
Read more
Industry News
FFIEC CAT Sunset Prep: A Guide to NIST CSF 2.0, CRI Cyber Profile & CIS Controls
With the Federal Financial Institutions Examination Council (FFIEC) announcing the sunset of the Cybersecurity Assessment Tool (CAT) by August 31, 2025, financial institutions must pivot to new resources to manage cybersecurity risks effectively.
Read more
Compliance
FCA Final Rule on Cyber Risk Management: The 2025 Guide for Financial Institutions
The Farm Credit Administration (FCA) has issued a groundbreaking final rule on Cyber Risk Management, reshaping how institutions within the Farm Credit System (FCS) address cybersecurity.
Read more
Cybersecurity
Farm Credit Administration Guidance on Navigating AI and Emerging Cybersecurity Risks
Discover how the Farm Credit Administration's guidance helps financial institutions navigate AI integration and emerging cybersecurity risks. Learn key strategies for compliance and effective risk management.
Read more
Industry News
2024 Annual Audit and Exam Issues: Insights from NETBankAudit
A 2024 survey of examination and audit issues collected from over 250 audit engagements to assist our clients in identifying commonly reported examination and audit issues.
Read more
Compliance
Understanding Placement, Layering, and Integration: The Core Stages of Money Laundering
This guide delves into each stage of money laundering—Placement, Layering, and Integration— highlighting common methods, red flags, and the challenges inherent in detection.
Read more
Compliance
Structuring and Smurfing Explained: Strengthening AML Compliance
This guide delves into the definitions, methods, legal implications, real-world examples, and best practices associated with structuring and smurfing, providing actionable insights to bolster compliance programs.
Read more
Compliance
Circular Transactions & Funnel Accounts: Unveiling Money Laundering Tactics
This guide delves into the methodologies of circular transactions and funnel accounts, highlights red flags for their identification, and provides actionable best practices for robust compliance.
Read more
Compliance
Navigating BSA, AML, CFT and OFAC: An Overview of Finance Regulations
This guide provides an overview of the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) protocols, and Office of Foreign Assets Control (OFAC) regulations.
Read more
Cybersecurity
Elder Financial Exploitation and Fraud: What You Need to Know
This article delves into the scope, trends, and impacts of elder fraud, highlighting red flags and strategies to protect one of society’s most vulnerable groups.
Read more
Risk Assessments
Understanding Gift Card Scams: Regulations, Risks, and Tips for Safe Usage
Learn about gift card scams including essential regulations, common risks, and actionable tips to ensure you can use gift cards wisely and securely.
Read more
Risk Assessments
FFIEC Development, Acquisition, and Maintenance (DA&M) Booklet: What You Need to Know
Understand the FFIEC's Development, Acquisition, and Maintenance (DA&M) Booklet including key updates and their implications on financial entities.
Read more
Cybersecurity
Phishing in Financial Services: Protecting Your Institution Against Cyber Threats
Phishing Attacks on financial institutions are increasing in frequency and complexity. We explain the tactics, regulations and strategies to protect your institution from cyber threats.
Read more
Cybersecurity
Penetration Testing Methodology and Procedures for Financial Institutions
Learn the process, methodologies, tools, and best practices for conducting effective penetration tests in financial institutions.
Read more
Cybersecurity
IT Governance: Aligning Technology with Business Strategy for Optimal Performance
Explore how financial institutions can implement effective IT governance frameworks to align their technology initiatives with business objectives, manage risks, and ensure regulatory compliance.
Read more
Cybersecurity
Common Cybersecurity Attacks and Penetration Testing Solutions For Financial Institutions
Understand common cybersecurity attacks and penetration testing solutions to mitigate risk in an increasingly sophisticated environment.
Read more
Industry News
Bank-Fintech Partnerships: Analysis of the Federal Reserve Board's 2024 Guidance
Analysis of bank-fintech partnerships, risks, and regulatory programs with a focus on the Federal Reserve Board's 2024 guidance.
Read more
Industry News
Risks and Strategies for AI Cybersecurity Risks: Key Takeaways from NY DFS Letter
Learn key AI cybersecurity risks and controls from the October 2024 letter from New York Department of Financial Services
Read more
Cybersecurity
IT Risk Management Solutions for Financial Services: Safeguarding Your Digital Assets
This article explores key IT risk management solutions for the financial sector, offering practical insights to help institutions protect their digital assets and maintain regulatory compliance.
Read more
Cybersecurity
IT Business Continuity Plans for Financial Institutions
This article explores the essential components of IT business continuity planning, emphasizing the unique needs of financial institutions drawing from FFIEC guidance.
Read more
Cybersecurity
IT Change Management for Financial Services
This guide covers IT change management for financial services, providing insights, best practices, and strategies for successfully navigating the complexities of managing IT changes.
Read more
Cybersecurity
Data Assurance in Financial Services: Ensuring Integrity of Financial Information
This guide delves into the critical aspects of data assurance in financial services, offering insights, best practices, and forward-looking perspectives to help you navigate this complex field.
Read more
Cybersecurity
IT Crisis Management Guide for Financial Services: Protecting Your Institution
This guide explores the critical aspects of IT crisis management in financial services, offering insights and strategies to help financial institutions navigate through disasters.
Read more
Industry News
2023 Annual Audit and Exam Issues: Insights from NETBankAudit
Read NETBankAudit's insights from the 2023 audit season, based on over 250 audit and over 750 technical testing engagements with financial institutions.
Read more
Compliance
Customer Due Diligence (CDD) Guide for Financial Institutions
Learn best practices for of Customer Due Diligence (CDD) for financial institutions, designed to prevent money laundering, terrorist financing, and other financial crimes.
Read more
Risk Assessments
Ransomware Assessment Facilitation for Financial Institutions
Get an in-depth look at ransomware assessment facilitation, focusing on the tools and strategies available to financial institutions to protect themselves against this pervasive threat.
Read more
Risk Assessments
URSIT Analysis – A Six Part Whitepaper Series
Learn about the the Uniform Rating System for Information Technology (URSIT) and the importance for financial services risk management.
Read more
Compliance
CECL Model and Validation: Ensuring Compliance with Regulatory Requirements
Learn about the Current Expected Credit Loss (CECL) model, introduced by the Financial Accounting Standards Board (FASB) with best practices for model validation.
Read more
Cybersecurity
IT Network Security Management: Protecting Your Digital Assets
Explore the key components of IT network security management, best practices for implementation, and emerging trends that are shaping the future of cybersecurity.
Read more
Cybersecurity
IT Security Incident Reporting: A Guide for Financial Institutions
Explore the critical aspects of IT security incident reporting, tailored specifically for smaller financial institutions.
Read more
Cybersecurity
Guide to Cybersecurity Assessments for Financial Institutions
A guide to cybersecurity assessments for financial institutions including guidance for the discontinuation of the CAT in 2025 and the shift to NIST 2.0 and CISA CPGs.
Read more
NETBankAudit Logo PNG
2024 NETBankAudit. All Rights Reserved.
Privacy PolicyTerms of Service
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept